Kamila Fitchett

Is your business ready for GDPR?

Short History About Data Protection Act (DPA)

In the UK, the first data protection legal act was introduced in 1984, which referred to a ‘Data Subject’. At this time, there were very few computers connected to each other, there were no social media platforms nor computer viruses. The main aim of the data protection document was to ensure that the collected data was accurate and up-to-date.

After the Internet was available to the public and with companies such as Apple and IBM starting their mass production of personal computers, this changed the behaviours in the cyber world and increased the risk of data breach including ‘sensitive personal data’. In 1998 the Data Protection Act was introduced to protect online users.

Although the 1998 Act announced new principles such as keeping data secure, processing data fairly and generally more restrictions around transferring data internationally, it left some gaps that companies could exploit. For example, data transfer information was hidden within a lengthy Terms and Condition document and the consent agreement had an already “pre ticked” box. Businesses also didn’t assume any responsibility for data from the moment it was passed to another organisation.

Introducing GDPR

GDPR stands for General Data Protection Regulation and it was proposed by the European Union to fill in the gaps mentioned above. New regulations will be in place from May 2018 and they will focus more on greater rights to the data subject, stricter reporting concerns and higher penalties for not complying with new rules (4% of global turnover or 20 million Euros).

Organisations which process data will now have to make sure that they have an individuals permission to use it. A person will have the right to have their data deleted and people will have the right to ask for their data in a ‘common’ machine-readable format. Although it might seem to be a simple task, some companies can struggle to meet this requirement if they use bespoke database software that doesn’t provide these features. These are only a few examples of new, changed or updated data protection regulations.

In the growing trend of e-commerce websites and payments over the Internet, GDPR puts more emphasis on online data security to make it harder for cyber theft to hack personal information. It also makes adjustments to online behaviour changes and the type of data that can be gathered by just connecting to the Internet and browsing any website. GDPR’s new definition of ‘sensitive personal data’ is extended to an on-line identifier such as an IP address or any biometric data including fingerprints.

How to prepare for new General Data Protection Regulations?

Although new regulations will only apply from May 2018, it’s recommended to start preparing as soon as possible to avoid the risk of penalties by not complying with the new data protection regulations. It’s worth bearing in mind that preparation for the GDPR compliance is not just an IT project but something which requires an involvement and process review across the whole company activities. This includes employees, who will need to be informed and made aware of data protection as well.

It is now also important to know which third parties are using your data and whether they comply with the new regulations. Any business that collects, and shares data will now have the responsibility to know whether their suppliers and partners are GDPR compliant.

According to the new regulations, individuals have more rights to access, edit or even remove their personal data from your database. Although previous DPA allows users to retrieve their information, businesses usually charged for it. GDPR now puts an emphasis on free of charge access.

What should you look at to make your website GDPR compliant?

Below we present a few things you should look at if you have a website that collects any type of personal data:

Your Privacy Notice should be reviewed and rewritten to meet the new GDPR requirements. It should be written in a simple and understandable language. Users should be informed about the purpose of data collection at the time the data is obtained, and “pre-ticked” boxes are not allowed. The Privacy Notice should include information on how the data is collected, stored and how long it is stored for. Users should also have a simple way to withdrawn consent and the Privacy Notice should state how to do it.

Only data that is needed should be collected. Businesses can’t collect all information about a user just because they want to. It needs to clearly specify the purpose of collecting and using their users data.

Users will have now have the right to access their own data; in this case, a commonly used format of providing data electronically to users should be available. Data portability requires that electronically entered data by the user should be able to retrieve and transmit in machine-readable format; a user can transit them to another service provider (ex. Social media, cloud storage). It only applies to data provided by the user such as name, email etc. But it’s not applicable to profiling data, analytical data and paper data. This information needs to be delivered securely to the right individuals (authentication might require login/password protection and warning dialog before download). This whole process should be encrypted.

If a record was shared with other 3rd parties, they should be informed about any changes in the hold record. Having a record in your database of what 3rd parties are using it, will help you to keep track and inform other organisations if the record was updated.

Your website should demonstrate the ability of data security by applying an SSL certificate and by using other technologies to encrypt sensitive and personal data.

GDPR also references to something called ‘pseudonimisation’, which means, for example, using two separate tables; one with reference ID and the other with names , then a joined table could be used to retrieve data (data encryption).

Another regulation introduced by GDPR is called ‘Privacy By Design’, it can be demonstrated by applying on your website different database roles and restrict access to specific data. It means that a user will only have access to the necessary information to perform a task. In another example, if the IP address is collected unnecessarily while browsing the website, then it shouldn’t be stored.

As the website owner, you should also have information about who has the access to the system. This will give a better control and management of unauthorised access.

Although the UK is in the process of leaving the European Union, the new GDPR regulations will still apply to UK businesses. There is still time to prepare your business for the new data protection law to avoid costly penalties.